This isn’t a feature that’s offered ‘out of the box’.
With this said, every session that starts on a cluster goes into the audit log with a `session.start` event and the UUID of the session. One way I can think of to achieve what you’re asking for would be to have some kind of agent which monitors this audit log and automatically runs `tsh join <uuid>` on each session that it sees. It could then monitor what was being typed in real time and theoretically alert if it detects a certain string being typed.
There are a number of caveats with this:
- It wouldn’t be tremendously effective as there are a number of ways to obfuscate commands typed into a terminal so that they won’t match a simple string comparison. There is also the possibility of uploading a script containing malicious code and running it without ever typing `rm -rf --no-preserve-root /` or whatever…
- The audit log is only saved on a per-cluster basis, so you would need to run one of these ‘monitoring agents’ in every Teleport cluster you wanted alerts from.
- The audit process would also need to be able to log into Teleport itself and would need permission to log into a terminal as any user that might potentially start a session. This aim could probably be satisfied by issuing a long-lived certificate on each auth server, but it would need to have all potential usernames encoded into it (so if you used individual UNIX usernames for each user and had a large user base this would be hard to maintain).
I’m not actually sure at what point the compressed chunks of the audit log are synced onto the disk by the Teleport node, but if it happens reasonably often then another option might be to tail any new chunk logs in real time and have a process that alerts based on what it sees.
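The audit-log watching half of the agent described above (picking `session.start` events and their session UUIDs out of a log that is still being appended to), as an added example that is not part of the original reply or Teleport's own code. It assumes one JSON object per line with `event`, `sid`, `user` and `login` fields; the class name, function names and sample lines are constructed for illustration.

```python
import json

# Constructed sample data (not real Teleport output). Chunks are split
# mid-line on purpose, as a reader tailing a live file would see them.
# Field names "event", "sid", "user", "login" are assumptions.
SAMPLE_CHUNKS = [
    '{"event":"session.start","sid":"11111111-2222-3333-4444-555555555555",'
    '"user":"alice","login":"root"}\n{"event":"sess',
    'ion.end","sid":"11111111-2222-3333-4444-555555555555","user":"alice"}\n'
    'not json at all\n',
    '{"event":"session.start","sid":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",'
    '"user":"bob","login":"deploy"}\n',
]


class SessionWatcher:
    """Consumes audit-log text as it is appended and tracks open sessions."""

    def __init__(self):
        self._buf = ""      # trailing partial line kept between reads
        self.active = {}    # sid -> (user, login) for sessions not yet ended
        self.skipped = 0    # complete lines that were not valid JSON

    def feed(self, chunk):
        """Process newly appended text; return sids of sessions that started."""
        self._buf += chunk
        *lines, self._buf = self._buf.split("\n")  # last piece may be partial
        started = []
        for line in lines:
            if not line.strip():
                continue
            try:
                ev = json.loads(line)
            except json.JSONDecodeError:
                self.skipped += 1
                continue
            if not isinstance(ev, dict) or "sid" not in ev:
                continue
            if ev.get("event") == "session.start":
                self.active[ev["sid"]] = (ev.get("user"), ev.get("login"))
                started.append(ev["sid"])   # candidate for `tsh join <uuid>`
            elif ev.get("event") == "session.end":
                self.active.pop(ev["sid"], None)
        return started


def replay(chunks):
    """Feed chunks in order; return per-chunk start lists and the watcher."""
    watcher = SessionWatcher()
    return [watcher.feed(c) for c in chunks], watcher
```

Each UUID returned by `feed` is what the agent would pass to `tsh join`; the per-cluster and login-permission caveats listed above still apply to that step.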